Bypassing Restricted Environments

I just got an email from an old student who is doing a pentest, and he asked me about pentesting restricted environments like locked-down desktops, Citrix, kiosks, etc. I figured I'd put together a blog post on the subject, and if people like it I'll do some more blog posts that go deeper into the subject and cover things like bypassing Software Restriction Policy (SRP) and breaking out of sandboxes. So here goes.....

Windows Environments

There are a lot of different ways to lock down a Windows environment. Probably the most widely used method is through Group Policy. Group Policy is basically a set of rules that govern the environment (restriction of access to certain programs, tools, folders etc.).

Opening Windows folders with Internet Explorer

Chances are most key programs and functions that would allow any sort of noteworthy access are blocked in a corporate or public environment. Luckily though, 99% of the time, Internet Explorer is not blocked due to it being a vital part of business functionality. Here, we will use the Shell handler to access Windows folders through Internet Explorer. Basically, if you enter a certain string into the URL bar of IE, an instance of explorer.exe will spawn and browse to the specified folder. Note that these will work with Internet Explorer ONLY.

Here are some examples of different commands:

shell:profile: This command will open up the User Profile for whatever account you are logged in as.

shell:programfiles: Here, the command will open up the Program Files folder.

shell:system: Here, we can open up the system32 folder.

shell:controlpanelfolder: This command opens up the Control Panel.

shell:windows: Finally, we can open up the WINDOWS folder with this command.

Another way to navigate to the Control Panel folder is by entering the following command into the URL bar: shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}

Accessing cmd.exe through the Microsoft Help and Support Center (this works on Windows XP and Windows Server 2003, not on Windows 7)

If access to cmd.exe through ordinary means has been disabled, there is another way of accessing it. This technique uses the Help and Support Center to spawn a command prompt for user interaction. To do this, simply enter the following into the URL bar in Internet Explorer:

HCP:// Help And Support Center

As you can see, the Help and Support Center window has spawned. Next, type “Command Prompt” into the search bar and hit enter. On the left-hand side of the window under Suggested Topics, you will see a result called “Using Command Prompt”, click it.

Finally, click on the highlighted link named “Command Prompt” and voila, you have a shell!
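From the defender's side, the shell: and hcp:// tricks above share one observable: Internet Explorer becomes the parent of explorer.exe, helpctr.exe or cmd.exe, a lineage a locked-down desktop should never produce. The following is an added example (not code from the post) that runs a small parent/child rule table over constructed process-creation records in a pipe-delimited export format; the executable paths and timestamps are sample data, and the rule table is an assumption about what is abnormal on a kiosk build.

```python
"""Flag process-creation events where a browser opens Explorer, the Help and
Support Center, or a command prompt. Added example with constructed sample data;
not code from the original post."""
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    ts: str
    parent_image: str
    image: str


# Parent -> child pairs that a locked-down desktop should never produce.
# Keys are lower-case executable names; values are the alert reason.
# (Assumed policy for this example, not a vendor rule set.)
SUSPICIOUS_LINEAGE = {
    ("iexplore.exe", "explorer.exe"): "browser opened a Windows Explorer window (shell: or file: URL)",
    ("iexplore.exe", "helpctr.exe"): "browser opened Help and Support Center (hcp:// URL)",
    ("helpctr.exe", "cmd.exe"): "command prompt launched from Help and Support Center",
    ("iexplore.exe", "cmd.exe"): "command prompt launched directly by the browser",
}

# Constructed sample export: timestamp|parent image|image (pipe-delimited).
SAMPLE_LOG = r"""
2024-01-01T10:00:01|C:\Program Files\Internet Explorer\iexplore.exe|C:\WINDOWS\explorer.exe
2024-01-01T10:00:05|C:\WINDOWS\explorer.exe|C:\Program Files\Microsoft Office\winword.exe
2024-01-01T10:01:10|C:\Program Files\Internet Explorer\iexplore.exe|C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe
2024-01-01T10:01:40|C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe|C:\WINDOWS\system32\cmd.exe
2024-01-01T10:02:00|C:\WINDOWS\explorer.exe|C:\WINDOWS\system32\cmd.exe
""".strip()


def exe_name(path: str) -> str:
    """Return the lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the pipe-delimited export into ProcEvent records, skipping blanks."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, parent, image = line.split("|", 2)
        events.append(ProcEvent(ts, parent, image))
    return events


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) for every event matching a suspicious lineage."""
    alerts = []
    for ev in events:
        key = (exe_name(ev.parent_image), exe_name(ev.image))
        reason = SUSPICIOUS_LINEAGE.get(key)
        if reason:
            alerts.append((ev.ts, reason))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect(parse_log(SAMPLE_LOG)):
        print(ts, reason)
```

The last sample line (explorer.exe launching cmd.exe) is deliberately not flagged: on an ordinary workstation that is normal, and whether it belongs in the rule table depends on how locked down the host is meant to be.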


Defeating Blacklists

In some cases, Windows Explorer will have been completely blacklisted. You may not be able to get to it from the Start Menu. Again, we can use Internet Explorer to spawn an explorer.exe window and have it navigate to a specific file location. Here is an example of this relatively simple technique:

By typing C:\windows into the URL bar, we can access the WINDOWS folder on the C: drive

In certain situations, C:\windows itself may be blocked. Luckily, you can substitute any of the following spellings; enter any of them into the URL bar to reach the same folder:

File:/C:/windows

File:/C:\windows\

File:/C:\windows/

File:/C:/windows

File://C:/windows

File://C:\windows/

file://C:\windows

C:/windows

C:/windows/

C:/windows\

%WINDIR%

Using the same technique, you can also enter other commands into the URL bar and jump to different file locations:

Command         Jumps to
--------------  -----------------------------------------------------------
%TMP%           C:\Documents and Settings\Administrator\Local Settings\Temp
%TEMP%          C:\Documents and Settings\Administrator\Local Settings\Temp
%SYSTEMDRIVE%   C:\
%SYSTEMROOT%    C:\WINDOWS
%APPDATA%       C:\Documents and Settings\Administrator\Application Data
%HOMEDRIVE%     C:\
%HOMESHARE%     Fully qualified path to your server-based profile
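The reason the list of alternate spellings works is that the blacklist compares the literal string typed into the URL bar, while the shell resolves scheme prefixes, slash direction, trailing separators and environment variables before opening anything. The following is an added example (not code from the post) that canonicalises an input the way a path-based policy check should, then shows that every spelling above slips past a literal comparison but is caught once both sides are canonicalised. The environment values are the ones from the table; the blocked list and the helper names are assumptions for the example.

```python
"""Literal-string blacklist versus canonicalised path check.
Added example for this post; environment values taken from the table above."""
import re
from typing import Dict, Iterable

# Environment values as listed in the table above (constructed XP host).
ENV: Dict[str, str] = {
    "WINDIR": r"C:\WINDOWS",
    "SYSTEMROOT": r"C:\WINDOWS",
    "SYSTEMDRIVE": "C:\\",
    "HOMEDRIVE": "C:\\",
    "TMP": r"C:\Documents and Settings\Administrator\Local Settings\Temp",
    "TEMP": r"C:\Documents and Settings\Administrator\Local Settings\Temp",
    "APPDATA": r"C:\Documents and Settings\Administrator\Application Data",
}

# Every spelling from the post that reaches the same folder.
VARIANTS = [
    r"C:\windows", r"File:/C:/windows", "File:/C:\\windows\\", r"File:/C:\windows/",
    r"File://C:/windows", r"File://C:\windows/", r"file://C:\windows",
    r"C:/windows", r"C:/windows/", "C:/windows\\", "%WINDIR%",
]

# Assumed policy: the Windows folder and everything under it is off limits.
BLOCKED = [r"C:\windows"]

_SCHEME = re.compile(r"^file:[\\/]*", re.IGNORECASE)   # file:, file:/, file:// ...
_ENVVAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def canonicalize(s: str, env: Dict[str, str]) -> str:
    """Reduce any of the URL-bar spellings to one lower-case backslash path."""
    s = _SCHEME.sub("", s.strip())
    # Expand %VAR% from the supplied environment; unknown names are left as typed.
    s = _ENVVAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), s)
    s = s.replace("/", "\\")
    s = re.sub(r"\\{2,}", r"\\", s)   # collapse runs of separators
    if len(s) > 3:                    # keep a bare drive root such as C:\ intact
        s = s.rstrip("\\")
    return s.lower()


def under(path: str, root: str) -> bool:
    """True if path equals root or lies beneath it."""
    return path == root or path.startswith(root.rstrip("\\") + "\\")


def blocked_by_literal(s: str, blocked: Iterable[str]) -> bool:
    """The naive check: compare the typed string, case-insensitively."""
    return s.lower() in {b.lower() for b in blocked}


def blocked_by_canonical(s: str, blocked: Iterable[str], env: Dict[str, str]) -> bool:
    """Canonicalise both sides, then test for equality or containment."""
    target = canonicalize(s, env)
    return any(under(target, canonicalize(b, env)) for b in blocked)


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v!r:24} literal={blocked_by_literal(v, BLOCKED)!s:5} "
              f"canonical={blocked_by_canonical(v, BLOCKED, ENV)!s:5} -> {canonicalize(v, ENV)}")
```

Only the first entry, the exact string C:\windows, trips the literal check; all eleven trip the canonical one, including a path several levels below the blocked folder. The same point applies to any control that matches typed strings rather than resolved objects: canonicalise first, then decide.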

Create a new user and add them to the Administrators Group

This is a simple task; it takes two commands. The syntax for creating a new user is net user *username* *password* /add. The syntax for adding a user to a group is net localgroup *group to add the user to* *user to add* /add. So in this example, we will be creating a user called secure with the password ninja, then adding that user to the Administrators group:
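Those two commands leave a distinctive pair of Security log events: an account-created event followed within seconds by a member-added-to-local-group event for the Administrators group (event IDs 624 and 636 on XP/2003, 4720 and 4732 on Vista and later). The following is an added example (not code from the post) that correlates the two over constructed, flattened event records; the field names are simplified to key=value pairs and the ten-minute window is an assumption.

```python
"""Correlate 'account created' with 'member added to Administrators' in the
Security log. Added example with constructed events; not code from the post."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# XP/2003 and Vista+ event IDs for the same two actions.
ACCOUNT_CREATED = {"624", "4720"}
LOCAL_GROUP_MEMBER_ADDED = {"636", "4732"}
WATCHED_GROUPS = {"administrators"}
WINDOW = timedelta(minutes=10)   # assumed correlation window

# Constructed export: EventID|time|key=value;key=value  (fields simplified)
SAMPLE_EVENTS = """
624|2024-01-01 10:05:00|SubjectUserName=jdoe;TargetUserName=secure
636|2024-01-01 10:05:04|SubjectUserName=jdoe;TargetUserName=Administrators;MemberName=secure
4732|2024-01-01 11:30:00|SubjectUserName=helpdesk;TargetUserName=Administrators;MemberName=svc_backup
4720|2024-01-01 12:00:00|SubjectUserName=helpdesk;TargetUserName=intern
636|2024-01-01 12:01:00|SubjectUserName=helpdesk;TargetUserName=Remote Desktop Users;MemberName=intern
""".strip()

Event = Tuple[str, datetime, Dict[str, str]]


def parse_events(text: str) -> List[Event]:
    """Parse the export into (event id, timestamp, fields) tuples."""
    out: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, ts, fields = line.split("|", 2)
        kv = dict(f.split("=", 1) for f in fields.split(";"))
        out.append((eid, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kv))
    return out


def correlate(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (severity, account, description) for each watched-group addition.

    'high' when the account was created inside WINDOW before the addition,
    'medium' for any other addition to a watched group."""
    created: Dict[str, datetime] = {}
    alerts: List[Tuple[str, str, str]] = []
    for eid, ts, kv in sorted(events, key=lambda e: e[1]):
        if eid in ACCOUNT_CREATED:
            created[kv["TargetUserName"].lower()] = ts
        elif eid in LOCAL_GROUP_MEMBER_ADDED and kv["TargetUserName"].lower() in WATCHED_GROUPS:
            member = kv["MemberName"].lower()
            group = kv["TargetUserName"]
            by = kv.get("SubjectUserName", "?")
            born = created.get(member)
            if born is not None and ts - born <= WINDOW:
                delay = int((ts - born).total_seconds())
                alerts.append(("high", member, f"created by {by} and added to {group} {delay}s later"))
            else:
                alerts.append(("medium", member, f"added to {group} by {by}"))
    return alerts


if __name__ == "__main__":
    for sev, who, what in correlate(parse_events(SAMPLE_EVENTS)):
        print(f"[{sev}] {who}: {what}")
```

The "intern" account is created too, but only added to Remote Desktop Users, so it produces nothing; widen WATCHED_GROUPS if that group matters on your hosts.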

Simple privilege escalation (doesn't work in Win 7 and above)

Here, we are going to go from a standard Administrator account up to a system level account with a few simple tricks. First off, on a standard user account, open up a command prompt and type “at”. If the command errors out then you know that this escalation technique will not work, but if it comes back and tells you “There are no entries in the list”, then this method is sure to work for you:

So, now that we know this will work, what we need to do is schedule a job. Here, we are going to schedule an interactive command shell to spawn:

After the shell has been spawned, notice in the title bar that it is not called cmd.exe but svchost.exe; that is because it was spawned by the Task Scheduler service, which runs under the Local System account:

Now that we have a command shell running with system privileges, let’s shed this user environment. Press Ctrl+Alt+Delete to open the Task Manager and, under the Processes tab, find explorer.exe and kill the process:

You will notice that the desktop has disappeared. Next go back to the system command shell and type in “explorer.exe”. This will spawn a new desktop environment, which because it was spawned from a system level command shell, will be a system level environment:

Creating a program that binds a shell to a port using a batch file

Here we are going to use a batch file to create an executable that binds a command shell to a specified port. This is nice because it is relatively quick and all you have to do is run the batch file; the rest is automatic. So, before we get started let’s have a look at the code:

Most of what’s happening here is that a hex file and a DLL are being created. These two files are the building blocks that form bind.exe. Once created, bind.exe is executed and begins listening on a port (in this case port 8080, but you can and should change it to whatever port is necessary in the situation). Once the shell has been bound, the batch file deletes itself and any traces of evidence.

Okay so, once we run the batch file, we can see the executable being created (note that if you run it from command prompt, you will see it in action, if you just double-click on the batch file, the command prompt window will open and close very quickly). Here, it is being run from the command prompt so you can see the output:

Next, let’s check out active connections with a netstat /ano command:

And there she is, waiting on port 8080. And just to be sure, let’s do a tasklist:
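The two commands just shown, netstat and tasklist, are also the defender's cheapest check for this: a batch file can delete itself, but the listening socket and the process that owns it remain visible. The following is an added example (not code from the post) that parses constructed netstat -ano and tasklist output for a host at 192.168.3.177, joins them on PID, and reports every listener whose (port, image) pair is not on an expected list; the expected list and the sample PIDs are assumptions for the example.

```python
"""Cross-reference listening TCP sockets from 'netstat -ano' with 'tasklist'
and flag listeners whose owning image is not expected on the host.
Added example with constructed output; not from the original post."""
import re
from typing import Dict, List, Tuple

# Constructed netstat -ano output for the sample host.
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1784
  TCP    192.168.3.177:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.3.177:1033     192.168.3.1:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
""".strip()

# Constructed tasklist output for the same host.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         236 K
svchost.exe                    948 Console                    0       4,872 K
bind.exe                      1784 Console                    0       1,204 K
""".strip()

# Assumed baseline: (port, image) listeners expected on this build.
EXPECTED_LISTENERS = {(135, "svchost.exe"), (139, "System"), (445, "System")}

_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
_TASK = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_listeners(text: str) -> List[Tuple[int, int]]:
    """Return (port, pid) for every TCP socket in LISTENING state."""
    out = []
    for line in text.splitlines():
        m = _LISTEN.match(line)
        if m:
            out.append((int(m.group(1)), int(m.group(2))))
    return out


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; header and separator lines do not match."""
    out = {}
    for line in text.splitlines():
        m = _TASK.match(line)
        if m:
            out[int(m.group(2))] = m.group(1)
    return out


def unexpected_listeners(netstat_text: str, tasklist_text: str) -> List[Tuple[int, int, str]]:
    """Return (port, pid, image) for listeners outside EXPECTED_LISTENERS."""
    pid_to_image = parse_tasklist(tasklist_text)
    out = []
    for port, pid in parse_listeners(netstat_text):
        image = pid_to_image.get(pid, "<unknown>")
        if (port, image) not in EXPECTED_LISTENERS:
            out.append((port, pid, image))
    return out


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"unexpected listener: port {port} owned by {image} (PID {pid})")
```

Keying the baseline on the (port, image) pair rather than the port alone matters: a listener on an allowed port owned by the wrong image is still reported, and a PID missing from tasklist shows up as "<unknown>" instead of being silently skipped.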

Okay, now that we know the batch file worked, we can see that bind.exe is running and is indeed listening, so let’s hop onto our evil Linux machine and see if we can get access. We can simply netcat to the target machine (here using 192.168.3.177 as its IP address) and…

Success! We have a shell. Now all that was done here was send a message to all users logged on to the machine, but I’ll let your imagination run wild with the possibilities of having Administrator access… you evil hacker, you.

Sending a reverse shell using a batch file

Here we are going to essentially do the same thing as we did in the last exercise, but instead of using the attacker machine to go and connect to the target machine, we are going to have the target machine send a shell to the attacker machine.

The code looks very similar to bind.bat from the last exercise. Essentially this is doing the same thing, creating a hex file and DLL file that build an executable. The program is then run (and subsequently the shell sent) and then is deleted.

First off, we need to set our evil hacker box to listen on a port, let’s choose 31337 for this exercise. We will be using netcat again (isn’t it a wonderful tool) to listen on port 31337:

Next, we simply run the batch file on the target machine:

And like clockwork, there is our shell!

Escaping and getting a command prompt

First things first, we need a command prompt before we can do anything else. Let’s navigate to the task manager using Ctrl+Alt+Delete. Next, go to File > New Task (Run…) and type in cmd.exe. That will spawn a new command prompt (also if there is no physical keyboard present, you can start a new task and type in “osk.exe” for an onscreen keyboard):

Here is an image of the On-Screen Keyboard:

Next, use Internet Explorer (or whatever browser they have installed, but there is a good chance it is IE) to navigate to a website that hosts your favorite tools and exploits. Whew…well alrighty then... I hope that you enjoyed this blog post.

I'd love it if you check out the Metasploit Next Level Video Series for only $50:

2 Responses

John Pickering

Great post! Always really useful in this arena to learn some step-by-step exploits versus the hypothetical information we always seem to get. Had a chance to take your pen testing class. It was the first iteration and I am looking to take it again, as there were many problems with the first run, but I love that you are willing to share info! Keep it going! Thanks!